Blizzard Giving Thought to Mandatory Authenticator?

According to this recent article over at WoW.com, Blizzard is giving serious consideration to making authenticators mandatory for all accounts.

While I personally think this would be a great idea and could almost eliminate hacking attempts, I still see some problems with it. First, there is the whole logistical operation involved: even if they provided an authenticator with every copy of the game from now on, how would they get one to current customers? They also have a lot of trouble even keeping them in stock in the Blizzard Store. One way to combat that would be to make this go into effect during Cataclysm, bundle it with the new expansion, and give some kind of grace period before they lock it down. Another issue I foresee is that a lot of people really just plain dislike having to enter a second "password" that is random every time they log in, which is especially annoying if you have two accounts that you keep switching between.

Overall I personally welcome our new authenticator overlords when they appear.

So when I follow your link, I get a whole ton more phone options than if I try to download it straight from the mobile.blizzard.com website. (Which is handy because they didn't have my BlackBerry Tour on the main page.)

Comment by Anubi

We don't need authenticators. We need people to stop doing stupid things.

Stopping people doing stupid things: it's like going faster than light. Physically impossible.
Give every player an authenticator: very possible. Just a small logistics problem.
Now choose.

Blizzard only needs to plan this thing very carefully, because it's not like an account merge that you can fix simply by clicking on some web forms.

Comment by Eminence

on 2010-01-10T09:42:44-06:00

giving the authenticator with cataclysm is a good idea

however, what if you don't upgrade?

Comment by snowsurge

on 2010-01-10T10:08:17-06:00

The easiest way to go about doing this is to either A. hand out authenticators with cataclysm or B. Create a program for your computer or if it's possible, a personal browser authenticator program.

Comment by Katalliaan

on 2010-01-10T10:15:44-06:00

snowsurge, if they made a program for the computer to act as an authenticator, then someone who uses malware to take people's accounts could probably use the info that the malware collects to reverse engineer the number generation in order to predict an authenticator code. In fact, all it would take is three accurate guesses to steal someone's account (one to get into the target's Battle.net page, and two to remove the authenticator).

Comment by Interest

on 2010-01-10T21:39:26-06:00

And then there's the problem of if you lose the authenticator....

It's called keeping the serial key filed away and when you lose it just call Blizzard and get it removed. :D

Hmm. Good point. But wouldn't the mandatory need for an Authenticator cause the account to become frozen for a time?

Comment by Strandvaskeren

on 2010-01-11T09:57:22-06:00

The easiest way to go about doing this is to either A. hand out authenticators with cataclysm or B. Create a program for your computer or if it's possible, a personal browser authenticator program.

NO! The whole point of adding an authenticator is that hackers seem to be able to sneak dodgy software onto your computer. All those people are being keylogged because their computers aren't kept safe or they are tricked into downloading malware somehow. Having a software authenticator on the very same computer that is being compromised by a keylogger is pointless.

An authenticator works on the concept that even if a bad guy is able to compromise your computer, he also has to get hold of your keychain authenticator or the authenticator software on your cell phone to get into your WoW, and that's why it needs to be on a different platform than your PC.

Comment by superbeefus

on 2010-01-12T10:54:34-06:00

Now. If only they had the Mobile Authenticator for VERIZON customers, then I don't think it would be so bad.. hehehe

Comment by TheReal

on 2010-01-12T14:00:59-06:00

I LOVE mine. The extra 10 seconds to login is 5000% worth it.

Pretty much this (fixed a bit). I'm 100% for making these one-time password generators mandatory, and I believe bundling them with Cataclysm is the perfect method for more-or-less securing almost everyone's accounts.

By knowing that these will be mandatory, Blizz can give advance notice to their authenticator factory that (number of active WoW accounts) - (number of authenticators in use) number of authenticators will need to be produced. Personally, I don't foresee any problems with supply.

Comment by Mattharon

on 2010-01-12T14:10:13-06:00

Someone on my server got hacked even though they have an authenticator. Don't ask me how, but that's ridiculous..

Comment by Ippon

on 2010-01-12T14:12:46-06:00

Someone on my server got hacked even though they have an authenticator. Don't ask me how, but that's ridiculous..

Because he's an idiot and got socially engineered.

No system can prevent against abject user idiocy, authenticators included.

Comment by Strandvaskeren

on 2010-01-12T18:22:29-06:00

Someone on my server got hacked even though they have an authenticator. Don't ask me how, but that's ridiculous..

Only way I can see that happen is:

Victim wants to log into his battle.net account to add game time or whatever. He uses his battle.net bookmark, but hasn't noticed that some malware has changed the URL, and he ends up on a fake battle.net login page that looks just like the real one. He enters the required email, password and authenticator number, after which the fake web page relays that data to the real battle.net and puts the victim through to his real battle.net account page. Victim never saw anything out of the ordinary.

Thief now has Victim's email, password and an authenticator number that is still valid for a minute or two. He can't change the account password or disable the authenticator without confirming with a new code from the original authenticator (which he doesn't have). He can however use the email, password and authenticator code to log into WoW and start selling, mailing and deleting stuff, but he has to work fast, because the next time Victim logs into his WoW, Thief will be disconnected.

How can Victim avoid this? All he has to do is log into WoW after visiting battle.net; that invalidates the authenticator code used to log into battle.net. Always follow a visit to your battle.net account with a visit to your WoW account.

Oh, and don't do stupid stuff like go to a net cafe or lan party, log into your wow account and then leave it unattended while you go to the toilet.

Comment by Barkend

on 2010-01-13T12:20:51-06:00

There are a lot of problems, mainly for those who don't live in countries where Blizzard has an "office", like me.

I'm from Brazil and I play on US realms. I would need to buy the authenticator in the Blizzard Store, see its price go up 200% due to taxes, and wait around 2 weeks to get my hands on it.

That is the situation of all Brazilians playing WoW (some thousands), and also of people from a lot of other countries.

Comment by Haeleos

on 2010-01-13T14:10:53-06:00

As much as I love this idea, I feel like it would just convince the keyloggers to create more complex programs to work around the authenticators, which would practically make them useless.

I don't know squat about compromising an internet account, but the more accounts that aren't as protected as mine, the less likely that mine'll be targeted.

(Hurhur, makes me sound like an ass.)

Comment by DoctorLore

on 2010-01-13T14:44:40-06:00

If I'm given one, I'll use it. I'm not paying for one though.

Comment by Justinmcg67

on 2010-01-13T16:42:27-06:00

As an iPhone authenticator user, I can say that it never adds more than a few seconds to login times. Just gotta be careful to remove and re-add whenever there's an update.

I use the iPhone app as well and really like it. It became very helpful having it on the iPhone so I can log into my account if I go to a friend's house or something; that way I don't have to take the actual authenticator with me, and since I always have my phone on me it just became more practical.

iPhone+Authenticator=Win

Comment by thelaks

on 2010-01-13T16:53:26-06:00

Thief now has Victim's email, password and an authenticator number that is still valid for a minute or two. He can't change the account password or disable the authenticator without confirming with a new code from the original authenticator (which he doesn't have).

30 seconds. And you need two consecutive codes to disable the authenticator.

How can Victim avoid this? All he has to do is log into WoW after visiting battle.net; that invalidates the authenticator code used to log into battle.net. Always follow a visit to your battle.net account with a visit to your WoW account.

You can use the same code, it's purely time-dependent.

Comment by Strandvaskeren

on 2010-01-13T19:22:38-06:00

You can use the same code, it's purely time-dependent.

You can reuse the code used for logging into battle.net. Even though the authenticator creates a new code every 30 seconds, the authenticator server at Blizzard will actually allow the code to work for a couple of minutes to compensate for a time difference between the server time and the internal time of your authenticator.

Logging into battle.net and then reusing the same authenticator code to log into wow is possible within a time span of a minute or two.

Logging into wow and then reusing the same authenticator code for logging into wow or battle.net doesn't work. The code is scratched immediately after it's used in wow.

I've tested with two machines and my two accounts, entering the same authenticator code for both accounts and hitting enter on both machines at the same time. One gets in, the other gets a message claiming I used the wrong password. One time use only!

Battle.net doesn't invalidate your code after use; that's why it's a great idea to invalidate the code manually afterwards by logging into WoW.
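
The two behaviours described in this thread (Strandvaskeren's relayed-code scenario above, and the later point that one login burns the code while the other only lets it age out of a drift window) can be shown side by side in a small server-side verifier. The following is an added example written for this page, not Blizzard's code or the algorithm its authenticator actually uses; it assumes a generic RFC 6238 TOTP token (HMAC-SHA1, 30-second step, 6 digits, a tolerance of two steps either side), and the class name `OtpVerifier`, the `single_use` flag, the seed and the timestamp are all constructed for the example.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30     # the token rotates its code every 30 seconds
DIGITS = 6            # code length assumed for this example
DRIFT_STEPS = 2       # server tolerates +/- 2 steps (one minute) of clock skew


def totp_code(secret: bytes, step: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian step counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server-side check (hypothetical). single_use=True burns a code once it is accepted,
    the behaviour the thread reports for the game login; single_use=False only checks the
    drift window, so a code stays valid until it ages out, the behaviour reported for the
    account website, which is exactly what lets a relayed code be reused."""

    def __init__(self, secrets: dict[str, bytes], single_use: bool = True):
        self.secrets = secrets
        self.single_use = single_use
        self.last_accepted_step: dict[str, int] = {}   # per-account high-water mark

    def verify(self, account: str, code: str, now: float) -> bool:
        secret = self.secrets.get(account)
        if secret is None:
            return False
        current = int(now // STEP_SECONDS)
        floor = self.last_accepted_step.get(account, -1) if self.single_use else -1
        for step in range(max(0, current - DRIFT_STEPS), current + DRIFT_STEPS + 1):
            if step <= floor:
                continue   # this step's code (or an older one) was already spent: reject the replay
            if hmac.compare_digest(totp_code(secret, step), code):
                self.last_accepted_step[account] = step
                return True
        return False


def demo() -> dict[str, bool]:
    """Replays one code the way the two-machine test in the thread does. Seed and clock are constructed."""
    seed = b"constructed-demo-seed-not-a-real-key"
    t0 = 1_263_000_000.0   # constructed timestamp (January 2010), aligned to a 30 s step
    code = totp_code(seed, int(t0 // STEP_SECONDS))
    game = OtpVerifier({"player": seed}, single_use=True)
    website = OtpVerifier({"player": seed}, single_use=False)
    return {
        "game_first_use": game.verify("player", code, t0),
        "game_replay_45s": game.verify("player", code, t0 + 45),          # same code again: burned
        "website_first_use": website.verify("player", code, t0),
        "website_replay_45s": website.verify("player", code, t0 + 45),    # still inside the drift window
        "website_replay_10min": website.verify("player", code, t0 + 600), # aged out of the window
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The high-water mark is the whole defence: once a step has been accepted, that step and every earlier one inside the window are refused for that account, so a code captured by a relaying page is worthless the moment the legitimate user spends it, which is what "log into WoW right after battle.net" achieves by hand. The drift window is still needed, because a keychain token's clock slowly wanders away from the server's.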

Comment by Convertibull

on 2010-01-13T20:59:32-06:00

I used a phone app authenticator back when I had my N95, but I've since switched phones to an N900 and there's no app for it. I'd certainly use one again should an app become available. I never found it to be a problem or hassle, and it does give peace of mind; also, with it being on the phone I'd always have it in my pocket, whereas if I used one of the keyring ones I just know I'd misplace it :)

Comment by darth603

on 2010-01-13T21:09:01-06:00

Having been a member of a guild damaged by Authenticator-related drama, my answer is a resounding HELL NO.

Being forced to wait until midnight for a raid that's scheduled to start at 8:00 PM because the guild's only main tank is "having Authenticator problems and is having trouble logging on, but he's our best tank and we can't promote player X to main tank despite their better gear" really really sucks. I'd rather not have the same issue myself.

As for people "needing" one? Maybe you should try a reasonably secure OS instead of Microsoft's garbage du jour. And practice reasonable security procedures, like not falling for every single keylogger spam that comes down the tube.